Towards  a  Hierarchy  of  Cryptographic  Protocol  Models 


Catherine  Meadows 
Center  for  High  Assurance  Computer  Systems 
Naval  Research  Laboratory 
Code  5543 

Washington,  DC  20375 

meadows@itd.nrl.navy.mil 


ABSTRACT 

Recently  there  has  been  an  increasing  amount  of  research  in 
the  introduction  of  cryptographic  ideas  into  discrete  meth¬ 
ods  for  cryptographic  protocol  analysis.  This  is  often  done 
by  developing  a  discrete  model  and  a  cryptographic  model 
such  that  the  discrete  model  can  be  shown  sound  with  re¬ 
spect  to  the  cryptographic  model.  In  this  position  paper  we 
talk  about  some  of  the  other  issues  in  cryptographic  proto¬ 
col  analysis  that  could  be  addressed  with  this  approach,  and 
propose  a  hierarchy  of  models. 

Categories  and  Subject  Descriptors 

C.2.2  [Network  Protocols]:  security,  protocol  verification, 
theory 

General  Terms 

cryptographic  protocols,  formal  methods 

1.  INTRODUCTION 

The  application  of  formal  methods  to  the  analysis  of  cryp¬ 
tographic  protocols  has  been  an  active  field  of  research  in 
the  past  few  years.  However,  the  approach  of  using  dis¬ 
crete  methods  to  analyze  systems  that  are  based  on  crypto¬ 
graphic  algorithms  whose  security  is  based  on  probabilistic 
and  complexity  theoretic  arguments  has  raised  some  ques¬ 
tions.  Although  the  use  of  this  approach  has  led  to  the 
successful  discovery  of  bugs,  any  security  proof  it  provides 
rests  on  assumptions  that  are  for  the  most  part  unverified. 
The  realization  of  this  lack  has  led  to  the  recent  research 
in  the  development  of  security  models  amenable  to  discrete 
analysis  that  can  be  proved  sound  with  respect  to  more  de¬ 
tailed  cryptographic  models.  Such  results  can  be  helpful 
even  when  techniques  already  exist  for  proving  correctness 
with  respect  to  a  cryptographic  model  by  hand;  the  fact 
that  the  formal  techniques  can  be  automated  allows  one  to 
be  sure  that  the  proof  is  error-free  and  that  all  conditions 
have  been  covered. 


Permission  to  make  digital  or  hard  copies  of  all  or  part  of  this  work  for 
personal  or  classroom  use  is  granted  without  fee  provided  that  copies  are 
not  made  or  distributed  for  profit  or  commercial  advantage  and  that  copies 
bear  this  notice  and  the  full  citation  on  the  first  page.  To  copy  otherwise,  to 
republish,  to  post  on  servers  or  to  redistribute  to  lists,  requires  prior  specific 
permission  and/or  a  fee. 

FMSE’03,  October  30,  2003,  Washington,  DC,  USA. 

Copyright  2003  ACM  1-58113-781-8/03/0010  ...$5.00. 


The  point  of  this  position  paper  is  that  the  approach  of 
using  a  simpler  and  more  tractable  model  that  can  be  proven 
sound  with  respect  to  a  more  complex  and  detailed  model 
is  useful  for  handling  other  assumptions  than  cryptographic 
ones.  Ultimately,  it  may  make  more  sense  to  have  a  hierar¬ 
chy  of  models  rather  than  a  two-tiered  system.  We  develop 
these  ideas  in  more  details  below. 

2.  SOME  ISSUES 

In  this  section  we  discuss  some  of  the  issues  that  we  believe 
could  be  addressed  by  developing  appropriate  abstractions 
in  a  hierarchy  of  models. 

2.1  Algebraic  Properties  of  Operations 

When  modeling  a  cryptographic  protocol,  one  assumes 
that  it  obeys  a  certain  set  of  algebraic  identities.  For  exam¬ 
ple,  one  might  want  to  assume  that  encryption  and  decryp¬ 
tion  cancel  each  other  out,  or  that  exponentiation  for  Diffie- 
Hellman  commutes.  For  the  sake  of  an  efficient  analysis,  one 
would  like  to  use  as  few  of  these  identities  as  possible.  Thus, 
for  example,  most  formal  models  for  cryptographic  protocol 
analysis  model  the  system  as  a  free  algebra  where  only  the 
encryption  operator  is  modeled  explicitly.  The  decryption 
operator  is  modeled  implicitly  in  the  protocol  rules,  and  by 
stating  that  if  an  attacker  knows  an  encrypted  term  and  the 
key  it  was  encrypted  with,  then  it  can  produce  the  term. 
Although  there  are  examples  of  protocols  that  can  not  be 
modeled  or  analyzed  using  the  free  algebra  model  (see  for 
example  the  Simmons  Selective  Broadcast  protocol  analyzed 
by  us  in  [3]),  it  appears  to  be  adequate  for  most  protocols. 
However,  it  was  not  clear  in  which  cases  the  free  algebra 
model  was  sound  with  respect  to  the  more  detailed  model, 
until  Millen  recently  described  a  class  of  protocols  for  which 
this  soundness  result  holds  [5]. 

There  are  other  algebraic  properties  for  which  it  would  be 
helpful  to  have  similar  results.  What  properties  are  nec¬ 
essary  to  model  Diffie- Heilman,  and  under  what  circum¬ 
stances?  For  example,  such  questions  arise  about  systems 
such  as  the  protocols  developed  by  Ateniese  et  al.  in  [1] 
which  make  use  of  properties  of  DifHe-Hellman  exponenti¬ 
ation  such  as  commutativity  and  the  existence  of  inverses. 
The  homomorphic  properties  of  RSA  are  necessary  to  model 
primitives  such  as  blinded  signatures.  Can  these  properties 
ever  be  abstracted  away  from,  and  how?  Can  we  safely  ab¬ 
stract  away  from  other  properties  of  RSA?  What  about  the 
algebraic  properties  of  exclusive-or? 


Report  Documentation  Page 

Form  Approved 

OMB  No.  0704-0188 

Public  reporting  burden  for  the  collection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instructions,  searching  existing  data  sources,  gathering  and 
maintaining  the  data  needed,  and  completing  and  reviewing  the  collection  of  information.  Send  comments  regarding  this  burden  estimate  or  any  other  aspect  of  this  collection  of  information, 
including  suggestions  for  reducing  this  burden,  to  Washington  Headquarters  Services,  Directorate  for  Information  Operations  and  Reports,  1215  Jefferson  Davis  Highway,  Suite  1204,  Arlington 

VA  22202-4302.  Respondents  should  be  aware  that  notwithstanding  any  other  provision  of  law,  no  person  shall  be  subject  to  a  penalty  for  failing  to  comply  with  a  collection  of  information  if  it 
does  not  display  a  currently  valid  OMB  control  number. 

1.  REPORT  DATE 

2003 

2.  REPORT  TYPE 

3.  DATES  COVERED 

00-00-2003  to  00-00-2003 

4.  TITLE  AND  SUBTITLE 

5a.  CONTRACT  NUMBER 

Towards  a  Hierarchy  of  Cryptographic  Protocol  Models 

5b.  GRANT  NUMBER 

5c.  PROGRAM  ELEMENT  NUMBER 

6.  AUTHOR(S) 

5d.  PROJECT  NUMBER 

5e.  TASK  NUMBER 

5f.  WORK  UNIT  NUMBER 

7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

Naval  Research  Laboratory, Center  for  High  Assurance  Computer 

Systems, 4555  Overlook  Avenue,  SW, Washington, DC, 20375 

8.  PERFORMING  ORGANIZATION 

REPORT  NUMBER 

9.  SPONSORING/MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 

10.  SPONSOR/MONITOR'S  ACRONYM(S) 

11.  SPONSOR/MONITOR'S  REPORT 
NUMBER(S) 

12.  DISTRIBUTION/AVAILABILITY  STATEMENT 

Approved  for  public  release;  distribution  unlimited 

13.  SUPPLEMENTARY  NOTES 

14.  ABSTRACT 

15.  SUBJECT  TERMS 

16.  SECURITY  CLASSIFICATION  OF: 

17.  LIMITATION  OF 
ABSTRACT 

18.  NUMBER 

OF  PAGES 

2 

19a.  NAME  OF 
RESPONSIBLE  PERSON 

a.  REPORT 

unclassified 

b.  ABSTRACT 

unclassified 

c.  THIS  PAGE 

unclassified 

Standard  Form  298  (Rev.  8-98) 

Prescribed  by  ANSI  Std  Z39-18 


2.2  Representing  System  Failures 

A  protocol  should  be  designed  to  be  secure  against  certain 
kinds  of  system  failures  such  as,  for  example,  compromise 
of  old  session  keys.  Although  some  attention  has  been  paid 
to  this  in  the  formal  analysis  of  cryptographic  protocols, 
many  formal  systems  ignore  this  problem,  and  others  model 
only  some  types  of  vulnerabilities  (compromise  of  session 
keys,  but  not  master  keys,  for  instance).  On  the  other  hand, 
many  formulations  of  cryptographic  soundness  have  well- 
defined  failure  models.  Can  these  be  used  to  enrich  the 
failure  models  of  the  formal  systems? 

2.3  Disambiguating  Messages 

There  are  a  number  of  attacks  on  cryptographic  protocols 
that  rely  on  an  attacker’s  ability  to  pass  off  a  message  of  one 
kind  as  a  message  of  another.  For  example,  we  found  such 
an  attack  in  our  analysis  of  an  early  version  of  the  Group 
Domain  of  Interpretation  (GDOI)  protocol  [4].  Heather  et 
al.  [2]  have  shown  that  it  is  possible  in  certain  circumstances 
to  guarantee  security  against  typing  attacks  if  unambiguous 
formatting  is  used.  What  are  the  best  ways  of  identifying 
and  removing  vulnerabilities  that  arise  from  ambiguous  for¬ 
matting?  Can  this  be  done  at  the  start  of  the  security  anal¬ 
ysis,  so  that  during  the  rest  of  the  analysis  one  can  rely  on 
the  protocol’s  being  free  from  typing  attacks?  When  can  we 
enforce  use  of  an  unambiguous  formatting  system,  and  how 
can  we  deal  with  possible  interactions  with  legacy  systems 
which  may  not  use  unambiguous  formatting? 

3.  THE  HIERARCHY  AND  ITS  USES 

Once  we  have  identified  the  different  issues  that  need  to 
be  addressed,  we  can  develop  a  hierarchy  of  models  at  vary¬ 
ing  degrees  of  abstraction.  At  the  top  of  the  hierarchy  we 
would  have  the  classic  model  used  by  most  designers  of  anal¬ 
ysis  tools  for  cryptographic  protocols:  cryptosystems  mod¬ 
eled  by  free  algebras,  strong  typing,  and  the  only  failure 
mode  being  that  of  a  node  under  the  complete  control  of  an 
adversary.  At  a  slightly  lower  level  we  would  model  differ¬ 
ent  algebraic  properties  of  the  various  operations  used  (we 
would  probably  have  several  levels  of  algebraic  properties, 
as  a  matter  of  fact).  At  other  levels  we  would  have  different 
types  of  system  failures.  At  still  other  levels  we  would  model 
formatting  conventions.  At  the  bottom  level,  or  near  to  the 
bottom,  we  would  introduce  the  cryptographic  models  that 
underly  the  protocols. 


When  we  wished  to  analyze  a  protocol,  we  would  pick  the 
maximal  model  such  that  an  analysis  of  that  protocol  with 
respect  to  that  model  could  be  proved  sound  with  respect 
to  all  the  models  below  it.  The  exact  model  that  we  could 
choose  would  depend  our  ability  to  prove  that  the  protocol 
satisfies  certain  conditions.  Of  course,  it  would  be  in  our 
interest  to  prove  that  a  protocol  satisfies  the  conditions  that 
allow  us  to  use  the  maximal  model,  but  for  practical  reasons 
we  might  not  be  always  be  able  to  do  this.  In  that  case,  we 
would  choose  the  highest  ranking  model  feasible. 

4.  CONCLUSION 

In  this  position  paper  we  have  given  a  brief  outline  of 
a  strategy  for  rendering  the  analysis  of  cryptographic  pro¬ 
tocols  by  formal  methods  both  sound  and  tractable.  We 
believe  that  the  incorporation  of  cryptographic  models  is  an 
important  part  of  this  strategy,  but  this  is  only  part  of  the 
picture.  We  have  given  a  brief  overview  of  some  of  the  other 
issues  that  need  to  be  considered,  and  we  believe  that  others 
will  be  identified  in  the  future. 

5.  REFERENCES 

[1]  G.  Ateniese,  M.  Steiner,  and  G.  Tsudik.  New 
multiparty  authentication  services  and  agreement 
protocols.  IEEE  Journal  on  Selected  Areas  in 
Communications ,  18(4),  April  2000. 

[2]  J.  Heather,  S.  Schneider,  and  G.  Lowe.  How  to  prevent 
type  flaw  attacks  on  security  protocols.  In  Proceedings 
of  the  13th  IEEE  Computer  Security  Foundations 
Workshop.  IEEE  Computer  Society  Press. 

[3]  C.  Meadows.  Applying  formal  methods  to  the  analysis 
of  a  key  management  protocol.  Journal  of  Computer 
Security,  1(1),  January  1992. 

[4]  C.  Meadows,  P.  Syverson,  and  I.  Cervesato.  Formal 
specification  and  analysis  of  the  GDOI  protocol  using 
NPATRL  and  the  NRL  protocol  analyzer.  Journal  of 
Computer  Security,  2003.  to  appear. 

[5]  J.  Millcn.  On  the  freedom  of  decryption.  Information 
Processing  Letters,  86(6):329-323,  June  2003. 


